Stored Cross-Site Scripting Vulnerability in Jenkins Email Extension Plugin
CVE-2023-25763

5.4MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Email Extension Plugin
Vendor
CVE Published:
15 February 2023

Summary

The Jenkins Email Extension Plugin versions 2.93 and earlier are susceptible to a stored cross-site scripting (XSS) vulnerability. This arises from the lack of proper escaping for various fields included in the email templates that are bundled with the plugin. Attackers who can manipulate these fields could exploit the vulnerability, executing arbitrary scripts in the context of the affected user's session.

Affected Version(s)

Jenkins Email Extension Plugin <= 2.93

Jenkins Email Extension Plugin 2.89.0.1

References

https://www.jenkins.io/security/advisory/2023-02-15/#SECU...
http://www.openwall.com/lists/oss-security/2023/02/15/4
mailing-list

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.